1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
|
Quick notes:
--------------------------------------------
[tonu@x153 mysql-4.0]$ cat /etc/my.cnf
[mysqld]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/server-cert.pem
ssl-key=SSL/server-key.pem
[mysql]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem
[mysqldump]
ssl-ca=SSL/cacert.pem
ssl-cert=SSL/client-cert.pem
ssl-key=SSL/client-key.pem
[tonu@x153 mysql-4.0]$
--------------------------------------------
To remove passwords from keyfiles:
[tonu@x153 SSL]$ openssl rsa -inform pem < server-req.pem > server-key.pem
read RSA key
Enter PEM pass phrase:
writing RSA key
[tonu@x153 SSL]$
--------------------------------------------
To run server:
sql/mysqld --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --skip-grant --debug='d:t:O,-' > /tmp/mysqld.trace
--------------------------------------------
To run client:
client/mysql --ssl-ca=SSL/cacert.pem --ssl-cert=SSL/server-cert.pem --ssl-key=SSL/server-key.pem --debug='d:t:O,/tmp/client.trace' -h 127.0.0.1
--------------------------------------------
openssl s_client -host 127.0.0.1 -port 1111 -debug -verify 1 -cert ../SSL/client-cert.pem -key ../SSL/client-key.pem -CAfile ../SSL/cacert.pem -pause -showcerts -state
--------------------------------------------
openssl s_server -port 1111 -cert ../SSL/server-cert.pem -key ../SSL/server-key.pem
--------------------------------------------
CA stuff:
[tonu@x153 bin]$ pwd
/usr/local/ssl/bin
[tonu@x153 bin]$
[tonu@x153 bin]$ ./CA.sh
[tonu@x153 bin]$ ./CA.sh -h
usage: CA -newcert|-newreq|-newca|-sign|-verify
[tonu@x153 bin]$
[root@x153 bin]# ./CA.sh -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
.++++++
................++++++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
phrase is too short, needs to be at least 4 chars
Enter PEM pass phrase:
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
ountry Name (2 letter code) [AU]:FI
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Helsinki
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MySQL Finland AB
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Tonu Samuel
Email Address []:tonu@mysql.com
[root@x153 bin]#
[root@x153 bin]# ls -la demoCA/
total 13
drwxr-xr-x 6 root root 232 Jun 24 18:50 ./
drwxr-xr-x 3 root root 2136 Jun 24 18:41 ../
-rw-r--r-- 1 root root 1241 Jun 24 18:50 cacert.pem
drwxr-xr-x 2 root root 48 Jun 24 18:41 certs/
drwxr-xr-x 2 root root 48 Jun 24 18:41 crl/
-rw-r--r-- 1 root root 0 Jun 24 18:44 index.txt
drwxr-xr-x 2 root root 48 Jun 24 18:41 newcerts/
drwxr-xr-x 2 root root 80 Jun 24 18:44 private/
-rw-r--r-- 1 root root 3 Jun 24 18:44 serial
[root@x153 bin]#
[root@x153 bin]# ls -la demoCA/private/
total 5
drwxr-xr-x 2 root root 80 Jun 24 18:44 ./
drwxr-xr-x 6 root root 232 Jun 24 18:50 ../
-rw-r--r-- 1 root root 963 Jun 24 18:50 cakey.pem
[root@x153 bin]#
[root@x153 bin]# ./CA.sh -newreq
Using configuration from /usr/lib/ssl/openssl.cnf
Generating a 1024 bit RSA private key
..................++++++
........................++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase: <- new key password, not CA
Verifying password - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:EE
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:Tallinn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Noname
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:Mr Noname
Email Address []:a@b.c
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request (and private key) is in newreq.pem
[root@x153 bin]#
[root@x153 bin]# ls -la newreq.pem
-rw-r--r-- 1 root root 1623 Jun 24 18:54 newreq.pem
[root@x153 bin]#
[root@x153 bin]# ./CA.sh -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter PEM pass phrase: <- CA's one!
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName :PRINTABLE:'EE'
stateOrProvinceName :PRINTABLE:'Some-State'
localityName :PRINTABLE:'Tallinn'
organizationName :PRINTABLE:'Noname'
commonName :PRINTABLE:'Mr Noname'
emailAddress :IA5STRING:'a@b.c'
Certificate is to be certified until Jun 24 15:50:23 2002 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Issuer: C=FI, ST=Some-State, L=Helsinki, O=MySQL Finland AB, CN=Tonu Samuel/Email=tonu@mysql.com
Validity
Not Before: Jun 24 15:50:23 2001 GMT
Not After : Jun 24 15:50:23 2002 GMT
Subject: C=EE, ST=Some-State, L=Tallinn, O=Noname, CN=Mr Noname/Email=a@b.c
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:ab:3b:7d:5b:6c:93:f6:46:1a:2c:46:73:6f:89:
8a:99:bb:e9:6b:94:0d:74:aa:aa:c4:5c:a2:61:cf:
56:bb:a1:a9:5a:37:c4:4e:b2:ec:5c:18:3a:a4:8d:
af:3d:23:66:7c:85:7f:d1:f2:e3:fc:16:a7:4c:a2:
d6:45:06:92:75:d8:a2:3b:f9:aa:77:da:26:b9:87:
e0:df:50:54:e4:36:9f:35:87:39:8e:a6:7c:3e:a8:
e4:49:1a:76:c2:6f:73:0b:22:93:2a:04:67:0d:7d:
ae:34:5c:fe:7c:29:b8:a2:fe:1e:ef:d1:0c:4d:dd:
5b:7a:67:b0:0a:22:88:a0:af
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
83:D1:0D:52:0F:DE:61:2D:A6:10:20:B8:46:0C:77:D5:D2:D0:BE:20
X509v3 Authority Key Identifier:
keyid:A5:0A:D6:72:B5:DF:E4:C2:2B:7B:07:5E:D3:4D:52:07:E1:83:6B:7F
DirName:/C=FI/ST=Some-State/L=Helsinki/O=MySQL Finland AB/CN=Tonu Samuel/Email=tonu@mysql.com
serial:00
Signature Algorithm: md5WithRSAEncryption
60:85:f7:d0:54:2a:67:88:0e:37:a6:a8:8e:fd:a0:c9:a1:d7:
c6:fc:4c:2e:59:8d:88:6d:69:0a:b8:b2:67:5f:81:94:39:0e:
ab:67:fc:8b:62:de:85:f6:b3:8c:2d:1a:e3:dc:28:fc:f5:99:
39:f0:3d:50:ca:88:c0:8e:f8:c2:02:5d:34:19:63:9f:c4:a2:
f6:a8:81:c9:8d:6d:bd:c4:42:4a:0c:49:5a:cc:24:ea:65:80:
dd:79:20:89:9e:ea:6b:80:7a:86:f9:bb:6d:24:3c:80:13:5b:
e6:16:fc:3d:8d:f6:16:ea:33:25:c6:90:20:81:a4:b0:15:2e:
9c:1c
-----BEGIN CERTIFICATE-----
MIIDfjCCAuegAwIBAgIBATANBgkqhkiG9w0BAQQFADCBhTELMAkGA1UEBhMCRkkx
EzARBgNVBAgTClNvbWUtU3RhdGUxETAPBgNVBAcTCEhlbHNpbmtpMRkwFwYDVQQK
ExBNeVNRTCBGaW5sYW5kIEFCMRQwEgYDVQQDEwtUb251IFNhbXVlbDEdMBsGCSqG
SIb3DQEJARYOdG9udUBteXNxbC5jb20wHhcNMDEwNjI0MTU1MDIzWhcNMDIwNjI0
MTU1MDIzWjBvMQswCQYDVQQGEwJFRTETMBEGA1UECBMKU29tZS1TdGF0ZTEQMA4G
A1UEBxMHVGFsbGlubjEPMA0GA1UEChMGTm9uYW1lMRIwEAYDVQQDEwlNciBOb25h
bWUxFDASBgkqhkiG9w0BCQEWBWFAYi5jMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
iQKBgQCrO31bbJP2RhosRnNviYqZu+lrlA10qqrEXKJhz1a7oalaN8ROsuxcGDqk
ja89I2Z8hX/R8uP8FqdMotZFBpJ12KI7+ap32ia5h+DfUFTkNp81hzmOpnw+qORJ
GnbCb3MLIpMqBGcNfa40XP58Kbii/h7v0QxN3Vt6Z7AKIoigrwIDAQABo4IBETCC
AQ0wCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQg
Q2VydGlmaWNhdGUwHQYDVR0OBBYEFIPRDVIP3mEtphAguEYMd9XS0L4gMIGyBgNV
HSMEgaowgaeAFKUK1nK13+TCK3sHXtNNUgfhg2t/oYGLpIGIMIGFMQswCQYDVQQG
EwJGSTETMBEGA1UECBMKU29tZS1TdGF0ZTERMA8GA1UEBxMISGVsc2lua2kxGTAX
BgNVBAoTEE15U1FMIEZpbmxhbmQgQUIxFDASBgNVBAMTC1RvbnUgU2FtdWVsMR0w
GwYJKoZIhvcNAQkBFg50b251QG15c3FsLmNvbYIBADANBgkqhkiG9w0BAQQFAAOB
gQBghffQVCpniA43pqiO/aDJodfG/EwuWY2IbWkKuLJnX4GUOQ6rZ/yLYt6F9rOM
LRrj3Cj89Zk58D1QyojAjvjCAl00GWOfxKL2qIHJjW29xEJKDElazCTqZYDdeSCJ
nuprgHqG+bttJDyAE1vmFvw9jfYW6jMlxpAggaSwFS6cHA==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem
[root@x153 bin]# ls -la demoCA/newcerts/
total 5
drwxr-xr-x 2 root root 72 Jun 24 18:58 ./
drwxr-xr-x 6 root root 296 Jun 24 18:58 ../
-rw-r--r-- 1 root root 3533 Jun 24 18:58 01.pem
[root@x153 bin]#
[root@x153 mysql-4.0]# ./sql/mysqld --ssl-cert=SSL/server-cert.pem --ssl-ca=SSL/cacert.pem --ssl-ke
y=SSL/server-req.pem -L /home/tonu/mysql-4.0/sql/share/english/ -u root
Enter PEM pass phrase:
./sql/mysqld: ready for connections
[tonu@x153 mysql-4.0]$ client/mysql --ssl-key=SSL/client-req.pem --ssl-ca=SSL/cacert.pem --ssl-cert
=SSL/client-cert.pem
Enter PEM pass phrase:
ERROR:
[tonu@x153 mysql-4.0]$
-8<------------------------
SSL encrypts data between MySQL server and client.
You need openssl (formerly SSLeay) for MySQL SSL support. Development
and testing was done on openssl version 0.9.3a
To compile MySQL one must do:
./configure --with-openssl=/usr
or
./configure --with-openssl=yes
There are sample keys and certificates included with MySQL tarball in
directory ./SSL. They are meant to be for quick start and
testing only. Using them in production environment means same as not
using encryption. This is because private keys are publicly
accessible for everyone. You must use openssl distribution for new key
and certificate generation for both client and server.
----------- for manual: ---------------------
*New API calls:*
mysql_ssl_set() - Set SSL properties (key, certificate,
certificates authority certificate). Must be called before
mysql_real_connect();
mysql_ssl_clear() - Clear and free resources occupied by
mysql_ssl_set() API call.
char *mysql_ssl_cipher(MYSQL *) - returns cipher in use. For example
"DES-CDC3-SHA" means that you have combined triple DES symmetric
algorithm and SHA
hashing algorithm.
*New command line switches:*
--ssl Use SSL for connection (automatically set with
other flags. This means one can use encrypted connection without strong
cryptological authentication. Normally one must use all switches
together including ssl-key, ssl-cert and ssl-ca and never mind about
--ssl because this is assumed by defult if any of them (--ssl-...)
included.
--ssl-key X509 key in PEM format (implies --ssl)
--ssl-cert X509 cert in PEM format (implies --ssl)
--ssl-ca CA file in PEM format (check OpenSSL docs,
implies --ssl)
--ssl-capath CA directory (check OpenSSL docs, implies --ssl
----------------
This is about using SSL in MySQL privilege system. My idea is to make
possible use of x509 certificates and keys instead of MySQL native
passwords
Some basic theory about crypt, SSL and x509:
x509 is standard for certificates. SSL is standard for secure
communication. Certificates are issued by someone anyone can trust. This
trusted party is called "Certificate Authority" or "CA". This is
someone, we MUST trust. Everyone must have some "fingerprint" of CA (so
called "CA certificate" or "CA cert") using which one can verify
authenticity of other
certificates issued by this CA. CA uses his power to give certificates
to persons (they can be physical (like "monty") or logical (like some
process). Person is identified by "subject" like
"/C=EE/ST=Harjumaa/L=Tallinn/O=MySQL client bogus certificate/CN=Tonu
Samuel/Email=<EMAIL: PROTECTED>". and signed cryptologically. This sign can be
verified using CA-cert. So, if we trust CA, then we can trust identity
of user.
There can be many CA-s (usually not but who knows). Also there can be
some users we don`t trust or have different privileges. This means we
must have one table to hold CA-certs and other table to hold so called
"subjects" (users). I think it`s a good idea to use existing structure
of host/user/db/field and add some x509 relationship. Then we can
use usual simple user/host pair or x509 subject/CA pair.
So I think user must grant rights using old method GRANT blabla ON
blabla TO blabla IDENTIFIED BY blabla
or new way:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla
IDENTIFIED BY X509 SUBJECT "/C=EE/ST=Harjumaa/L=Tallinn/O=MySQL client
bogus certificate/CN=Tonu Samuel/Email=<EMAIL: PROTECTED>" AND ISSUER
"/C=EE/ST=Harjumaa/L=Tallinn/O=TCX AB/CN=Tonu
Samuel/Email=<EMAIL: PROTECTED>";
-----------8<---------------------------
Please note the difference in Subject and Issuer. This command requests
user to authenticate itself with exact subject and exact certificate
issuer. Next possibility is just have any certificate of some good CA:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla IDENTIFIED BY X509 ISSUER
"/C=EE/ST=Harjumaa/L=Tallinn/O=TCX
AB/CN=Tonu Samuel/Email=<EMAIL: PROTECTED>";
-----------8<---------------------------
or if any registered CA is good enough (usual case when only one CA is
registered)
but we care about exact user, then something like:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla IDENTIFIED BY X509 SUBJECT
"/C=EE/ST=Harjumaa/L=Tallinn/O=MySQL client
bogus certificate/CN=Tonu Samuel/Email=<EMAIL: PROTECTED>";
-----------8<---------------------------
And case if user must authenticate itself but we don`t care about exact
person until he have some certificate issued by CA registered in our
system:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla IDENTIFIED BY X509;
-----------8<---------------------------
Then additionally we need one exception. Let`s assume we need SSL
encryption
for preventing eavesdropping but we don`t care who it is at all. We need
privilege to exclude all non-SSL users but we accept anyone using SSL.
How
this must be done in GRANT syntax? Maybe:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla
IDENTIFIED BY blabla AND USING SSL
-----------8<---------------------------
But maybe we want to add in future possibility to check different
algorithms and key lengths? Something like:
-----------8<---------------------------
GRANT blabla ON blabla TO blabla IDENTIFIED BY blabla AND USING SSL WITH
CIPHER "DES-CBC3-SHA" OR "DES-CBC3-MD5"
-----------8<---------------------------
Also we need some command to include/exclude CA certificates. This must
be some commands like INSERT/DELETE/UPDATE/REPLACE to do it.
All examples is given for clarify my problem. I asking for help because
I don`t know
any similar command in other SQL-s.
------------8<------------------------
So, at moment SSL communications is ready and working. I don`t have this
command iterface at moment yet and this can be changed a lot if someone
can suggest good idea or reason to change them. We are ready to listen
every opinion.
About Kerberos: I just don`t know much about it. I have to read this
again before I can comment. I never used it itself and forgot most of
theory. Sorry. Anyway now the problem/need is known and I will put
thinking about this in personal TODO.
|
